More App Store hackery may be afoot

It appears that a Chinese developer may have copied the trick used last …

WiiSHii Network's apps are climbing the charts in the travel category.

Last weekend there were reports that iTunes and the App Store had been hacked. However, it turned out that a developer had used other users' iTunes accounts to buy his apps repeatedly, quickly moving the apps up the App Store sales ranking. It now appears that another developer, WiiSHii Network, has started doing the same thing.

Ars reader Harper Reed contacted us to detail the problem. His account was used earlier today to purchase 34 of WiiSHii Network's apps without his permission, for a total of $168.89. The apps appear to mostly be travel guides for cities in China, and come in both English and Chinese versions—oddly enough, Reed ostensibly bought both.

As expected, WiiSHii's apps are now climbing the charts in the travel category. [EN]GYOYO Shanghai Travel Helper and [EN]GYOYO Beijing Travel Helper are currently at number 7 and 8 on the top paid chart for the Travel category, while [CN]GYOYO Beijing Travel Helper is at number 10.

This is one of the iTunes receipts that Reed got quite unexpectedly.

Apple said that the problem last weekend only affected 400 accounts, which is a minuscule percentage of iTunes users overall, and the developer at fault was removed from the App Store. It was alleged that affected users had easy-to-guess passwords, and Apple insisted that iTunes servers were not compromised. Reed—an experienced e-commerce developer known for his work with Threadless—told Ars that he is convinced there is a more serious security problem that Apple isn't sharing.

Reed's password, a string of random alphanumeric characters, isn't easy to guess, though it is possible that it could be determined by brute force. It seems likely that, even if hackers aren't able to access account information directly from iTunes, there is a systematic attempt to acquire valid users' passwords and use the accounts to boost rankings and sales. Worse yet, these same hackers could use the credentials to obtain additional personal information, though iTunes does at least obscure saved credit card numbers.

Reed also noted that iTunes customer support is recommending that customers file a fraud complaint with their credit card company or bank, and request a replacement card—hardly a convenient solution. Attempts to contact Apple for comment were unanswered this afternoon.

Our advice is to be vigilant about purchases showing up on your iTunes account, and to report any problem to iTunes customer service as soon as possible. If you notice strange app purchases from WiiSHii Network or other developers, let us know in the comments.

UPDATE: Just days before we were alerted to this problem by Reed, The Next Web noticed WiiSHii's apps began dominating the travel category in the UK App Store and suspected the developer of engaging in fraud. Since then, the site has received three reports of fraudulent charges for WiiSHii apps from readers.

UPDATE: It appears that Apple has removed WiiSHii Network from the App Store.

Apple needs to find a way to up the security of their users information.

Users need to stop using the same passwords at multiple sites.

His password may have been strong, but if it was stored in plaintext or md5(password) at another site whose database got dumped through a SQL injection attack, it doesn't matter.

Remember the RockYou hack? 30 million passwords in plaintext? Yeah... that's how well many web companies store passwords. Apple may be stronger, but if the email/password combo was gained from somewhere else... *shrug* There's really not much Apple can do about that.

Wouldn't surprise me one bit if CRApple dumps on Reed for not "bringing it to the attention first" and penalizes him for it or some other ignorant shit rather than admit there's a problem on their side.

He tried, but there was no obvious way to contact them to report the issue, and iTunes customer service rep didn't seem to understand the security implications.

I wonder if the passwords are being stolen by, or purchases made by, rogue apps? It would be easy to create a fake "iTunes login" dialog in an iOS app, as the standard password screen for accounts is merely a modal text-input dialog. So phishing is easy. It could also easily be done using JavaScript on a rogue webpage. I also wonder if a rogue app could somehow abuse in-app purchase to buy other items?

Thanks for clearing that up 'foresmac', I didn't get it from the article, granted I don't read Apple articles as carefully as I read p2p related stuff.

Well, good luck Reed, you're gonna need it. To cite an example, a pal of mine in the UK got the better of a cop who was in the wrong, but the cop still screwed him over on spite on some other bogus charge of jaywalking or some other crap - I hope this article is enough to discourage CRApple from "getting to you" in some other way.

I've had my iTunes account disabled for over a month for a similar incident.

Yeah, while Apple is polite in all the contacts you have with them about this, their charge resolution process is not particularly well thought out. The fact that they have you contact your credit card company to dispute the charge and not do anything else (besides telling you to get a new card - and put it on the account, right Apple? ) is just plain awful.

I of course immediately removed the credit card number from the account, changed my password (it wasn't GREAT, but it wasn't that guessable; now it's a pretty solid one, and will change fairly often, IF I KEEP THE ACCOUNT) and had them disable my account to boot till this is resolved... which so far, isn't really happening. Maybe they figure if they can get me to pay the fraudulent app charges it'll be more in the long run than the trickle of stuff I bought legitimately.

Apple really needs to start treating this more seriously and also come up with a better system for resolving this soon, or I do think the problem is going to get worse, and certainly the backlash will...

Things they need to do include:

1. Stop bundling charges. Get a real merchant agreement going with the credit card companies and always singly charge for any individual purchase. Yes, your statement, if you're a prolific buyer, will be rather full, but at least it will be easier to point out particular charges if you have to.

2. Institute app protection limits that users can set somehow. If there's 100+ dollars of app store charges on most people's accounts (heck, usually 50) in a given day, then that's not normal, at least for me, and I'd like to prevent that from ever happening in the first place.

3. Create a REAL fraudulent charge dispute process. Make it obvious how to get there from within both the iTunes software, and the App Store apps on all platforms. Institute real tracking processes and simple ways for users to follow the progress of issues. Too much disappears into a black hole of "well wait and hope" right now.

4. If they believe there is a password security problem, then institute policies to promote good password hygiene. Regular password changes, minimum password security requirements, smarter security/recovery procedures.

In essence, don't treat customers as if one is hoping we'll fail to resolve the issue and be forced to pay for the fraudulent charges.

Also, this is not to say I think anybody is doing this all that much better. While I admire some aspects of the Android app purchase process, I dread the inevitable day I need to deal with their customer support, since I'm given to understand they have none whatsoever, and get actively hostile if you DARE to call them on the phone.
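The daily spend limit in item 2 of the list above, and the pattern the article describes (one account buying dozens of a single developer's apps within minutes), can both be expressed as a batch review over purchase records. The following is an added example, not Apple's or the article's code: the log format, the account names, and the threshold values are constructed for illustration, and the developer-concentration rule goes a step beyond the commenter's plain spend cap by also asking how many of a day's purchases came from one developer.

```python
"""Batch review of purchase records for bulk-buying fraud (added example).

Not Apple's code. Log format, account names and thresholds are constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Purchase:
    ts: datetime
    account: str
    developer: str
    price: float
    app: str


# Constructed sample records (not real App Store data): one purchase per line,
# space-separated key=value fields; the app title is last and may contain spaces.
SAMPLE_LOG = """\
2010-07-06T14:02:11Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 01
2010-07-06T14:02:13Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 02
2010-07-06T14:02:15Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 03
2010-07-06T14:02:17Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 04
2010-07-06T14:02:19Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 05
2010-07-06T14:02:21Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 06
2010-07-06T14:02:23Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 07
2010-07-06T14:02:25Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 08
2010-07-06T14:02:27Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 09
2010-07-06T14:02:29Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 10
2010-07-06T14:02:31Z acct=reed dev=WiiSHii price=4.99 app=Travel Guide 11
2010-07-06T15:10:01Z acct=dave dev=WiiSHii price=4.99 app=Travel Guide 01
2010-07-06T15:10:03Z acct=dave dev=WiiSHii price=4.99 app=Travel Guide 02
2010-07-06T15:10:05Z acct=dave dev=WiiSHii price=4.99 app=Travel Guide 03
2010-07-06T15:10:07Z acct=dave dev=WiiSHii price=4.99 app=Travel Guide 04
2010-07-06T15:10:09Z acct=dave dev=WiiSHii price=4.99 app=Travel Guide 05
2010-07-06T09:40:00Z acct=bob dev=DevA price=0.99 app=Puzzle Game
2010-07-06T12:15:00Z acct=bob dev=DevB price=4.99 app=Note Taker
2010-07-05T18:00:00Z acct=carol dev=DevC price=39.99 app=Office Suite
2010-07-05T18:05:00Z acct=carol dev=DevC price=19.99 app=Outliner
"""

# Policy knobs: assumed values for illustration, not Apple's actual limits.
DAILY_SPEND_LIMIT = 50.00      # dollars per account per UTC day
DAILY_ITEM_LIMIT = 10          # paid items per account per UTC day
CONCENTRATION_MIN_ITEMS = 5    # judge concentration only with at least this many items
CONCENTRATION_SHARE = 0.8      # share of a day's items that came from one developer


def parse_log(text: str) -> list[Purchase]:
    """Parse the key=value log format above into Purchase records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" ", 1)
        fields, app = rest.split(" app=", 1)   # title may contain spaces
        kv = dict(f.split("=", 1) for f in fields.split())
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Purchase(ts, kv["acct"], kv["dev"], float(kv["price"]), app))
    return records


def review_daily(records: list[Purchase]) -> dict[tuple[str, str], dict]:
    """Return {(account, date): {rule: detail}} for account-days that trip a rule."""
    by_day: dict[tuple[str, str], list[Purchase]] = defaultdict(list)
    for r in records:
        by_day[(r.account, r.ts.date().isoformat())].append(r)
    findings = {}
    for key, day in by_day.items():
        reasons: dict = {}
        spend = round(sum(r.price for r in day), 2)
        if spend > DAILY_SPEND_LIMIT:
            reasons["daily_spend"] = spend
        if len(day) > DAILY_ITEM_LIMIT:
            reasons["daily_items"] = len(day)
        if len(day) >= CONCENTRATION_MIN_ITEMS:
            dev, n = Counter(r.developer for r in day).most_common(1)[0]
            if n / len(day) >= CONCENTRATION_SHARE:
                reasons["developer_concentration"] = (dev, n)
        if reasons:
            findings[key] = reasons
    return findings


def suspect_developers(findings: dict) -> dict[str, int]:
    """Developers named in concentration findings, with the number of distinct accounts."""
    return dict(Counter(d["developer_concentration"][0]
                        for d in findings.values()
                        if "developer_concentration" in d))


if __name__ == "__main__":
    hits = review_daily(parse_log(SAMPLE_LOG))
    for (acct, day), reasons in sorted(hits.items()):
        print(f"{day} {acct}: {reasons}")
    print("developers bought in bulk by several accounts:", suspect_developers(hits))
```

Running it shows why a spend cap on its own is a blunt tool: carol's two legitimate purchases trip the dollar limit while dave's five cheap guides slip under both the spend and item caps. The concentration rule, which is the shape of what the article reports, flags both bulk buyers, and the developer-level tally names the developer whose apps are being bought up across accounts, which is the signal a store operator can act on before releasing payouts.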

It seems like iTunes accounts or something like it are prime for virtual credit card numbers. If you have to buy apps, just create a number with a low limit ($20 or less) and short expiry date (6 months or less). That way, even if they hack your account, you won't have to change your "real" credit card.

OR you can not store your credit card information in your iTunes account.

Wow can I get you to use your awesome mental powers for good rather than simply wasting your genius on Apple comment threads? Since you know what happened in this case, care to predict the World Cup Final scoreline? If you're not willing to deploy your precognitive gifts then perhaps your uncanny ability to blame the victim could get you a job with BP.

He used good advice, the words "may" and "if," as well as cited an example. Think 2 seconds before rambling nonsense.

Too bad you are FORCED to give your credit card information to CREATE an iTunes account.. whether you want to make any purchases or not.

He used "good" advice that a) was super speculative, b) was completely one-sided, and c) ignored the fact that more than one person has had their iTunes account hacked to buy things they didn't actually purchase. I suggest you try and think of the larger context behind the one fellow mentioned in the article and also learn to spot hand-waving that obscures some of the central questions of this affair - namely Apple's reluctance to disclose what exactly happened and their weak remediation process.

Steve was quite pleased with the number of credit cards registered to ITMS during the iOS4 keynote, I wonder how that's holding up now?

I just pulled my CC out of there, and put money in via a gift card instead. My possible damages are now limited to $14.01, with no need to waste time calling my CC company in any event. I don't have to worry about Apple denying me any future software updates because they had to eat a charge reversal. I'll also be more picky spending at the iTunes store, with the inconvenience of having to go out to pick up more gift cards.

I have a prepaid credit card for exactly those kinds of situations. I never have more than $20-40 on it—enough to pay for my hosting bill and the odd purchase, but anything bigger will go through the "find something to buy, load up the credit card with enough cash, spend the money on the goods, have ~$20 again on the CC" loop.

I received an iTunes-styled phishing mail two or three weeks ago. It was reasonably well done. I don't have it anymore, so I can't go back to look at it, but I think phishing might have something to do with this whole thing.

Uhm.... I don't understand. If I was in the position to dig out passwords from iTunes users... the last thing I would do is BUY my own programmes to promote them... of course the users will notice and you'll be banned and your apps removed and, worse, your reputation is ruined. And the best thing... they'll KNOW it was you because you bought your OWN apps... -.- It's like stealing something and leaving a trail to your house...

I fail to see how this is Apple's fault. iTunes relies on username and password, just like every other online service does. Now, if that combination was compromised because Apple's system was hacked, then they should be held responsible. But if they fell for phishing and the like (as seems to be the case here), it really isn't Apple's fault and there's not much they could do about it. It's the user's responsibility to make sure that his username/password are safe, and they should not give that info out to others.

So, you live in the US. Never purchased an app anywhere else. All of a sudden you start buying hundreds of apps, far above your normal usage pattern and from all corners of the world. Given Apple have your security to protect as they hold your credit card details then yes they can do more.

Nobody said it was Apples fault. It is the fault of whoever is committing this. But Apple can certainly do more, would you not agree?

I don't think you read the article - it's not "phishing and the like", it's something more serious.

I've had the same happen to me. Only had the password in use on my iTunes account. Only ever used it on my Mac. Suddenly a bunch of charges turn up and Apple says it's not their problem and I have to go through the merry hell of forcing a chargeback from my CC company. No, I didn't get phished. No, there were no viruses on the Mac. No, I have a linux based firewall that logs all the traffic and there was nothing going out that looked remotely trojan-ish.

Can't really imagine these guys are really that stupid...

They aren't trying to sell apps or increase their ranking. They are defrauding credit cards, all they want is cash. If they were located in the U.S., then it would be stupid to do it this way, but they aren't. The chances of them being tracked down and put in jail are slim. They only want to hit as many accounts as fast as possible before they are shut down, so rising in rankings is just a side effect of the activity.

Funny how PayPal (the idea, not the company...) seems a good idea these days. Such a central pre-pay system makes all this much more difficult as most people won't keep much in the account...

Same goes for MS points on the Xbox - it may be an inconvenience but having your credit card compromised is a bigger one. And, you can still use the card there-and-then to buy the points. Convenience can go too far.

Also, doesn't Apple keep the cash for a period before it's handed over to the developers anyway? How do they expect this to work when they have such obvious fraud patterns that it's always going to tip Apple off before they release the cash? Assuming Apple have such fraud prevention measures in place I guess...

Then I guess you didn't read very many of the posts above you. Many here said it was Apple's fault because of their poor security. It sounds to me more like phishing and there isn't much Apple can do about that.

100% agree, I even think this is Apple's fault to some extent. I really don't get why anybody would think otherwise. There are gzillion ways to protect the account; just the fact that somebody logged into iTunes from a different computer or different phone (even in the same country) should raise an automatic text message or email notification to the user's account. How hard is that?

Oh yeah, it's coming in 2012 as an awesome new feature to mobile.me and will cost you $99

Very scummy of Apple to throw the ball into the account holder's court by asking her to go via the CC company instead of doing something about it via the App Store...

Ummm...if charges you didn't make show up on your Credit Card, you should immediately contact your CC company to dispute the charges and change your account number. You should also contact the Credit Bureaus and the Police. Why is Apple telling you the proper procedure "scummy"?

You are making a dangerous assumption here. It is not yet known how the accounts were compromised.